The present invention relates to a storage system in which a storage apparatus can be accessed from a computer, and more particularly to a method of migrating encrypted data and to a management computer that manages the migration.
First, a conventionally used storage extent (volume) network is explained.
A network which connects one or more external storage apparatuses and one or more computers is called a storage extent network (SAN) (for example, refer to Published Japanese Patent Application No. 2004-005370). The SAN offers excellent scalability, since storage capacity and computers can easily be added and removed at a later date, and it is used especially often when a plurality of computers share one large-scale storage apparatus.
Next, management of encrypted data in the storage extent network is explained.
There is a technology that guards against tapping and falsification from the outside by encrypting data stored on a storage apparatus. For example, there is a technology in which an encryption apparatus is installed in the SAN, and encryption and decryption are performed by having data pass through this encryption apparatus when the data is input and output between a host computer and a storage system (refer to U.S. Patent Application Publication No. 2004/153642A1).
Published Japanese Patent Application No. 2001-331380 discloses a technology in which, when data is copied between storage systems using a remote copy technology and the apparatus on the receiving side receives encrypted data, the encrypted data is saved and decrypted as appropriate. Also, an encryption processor is installed on the storage system as shown in FIG. 5 so that the encryption and decryption of data can be performed on this apparatus.
In addition, Published Japanese Patent Application No. 2002-351747 discloses a method of encrypting a storage extent within a disk array apparatus (equivalent to a logical storage extent of the present invention) and saving it in another storage extent, in order to back up the storage extent to a tape drive. It also discloses a method of decrypting a storage extent that stores encrypted data and saving the result in another storage extent.
Next, management of a virtual storage extent of encrypted data is explained.
A detailed explanation of this virtual storage extent management technology is given in Published Japanese Patent Application No. 2004-005370, and therefore only the mechanism of a system in which the virtual storage extent technology is installed is briefly described here.
FIG. 2 is a diagram showing a configuration example of a virtual storage extent management system. In FIG. 2, a storage system 101, a storage system 102 and a host computer 200 are connected by a network connection apparatus 400 comprising a data I/O network 401. The network connection apparatus 400 mounts a plurality of data I/O network interfaces 440, and the respective data I/O network interfaces 440 are connected, through a data I/O network 402, with a data I/O network interface 240 mounted on the host computer 200 and with a data I/O network interface 140 mounted on each of the storage system 101 and the storage system 102.
The above is the physical network configuration of the system in which the virtual storage extent technology is installed. As for the logical configuration of the network connection apparatus 400, it is assumed that a communication path 411 is provided between the data I/O network interfaces 440 which are connected with the host computer 200 and the storage system 101, and similarly that a communication path 412 is provided between the data I/O network interfaces 440 which are connected with the storage system 101 and the storage system 102. This logical network configuration makes mutual communication possible between the host computer 200 and the storage system 101, and also between the storage system 101 and the storage system 102.
It should be noted that the storage system 101 and the storage system 102 may be connected directly by the data I/O network 402 without passing through the network connection apparatus 400.
The configuration and the input/output procedure of a virtual storage extent (volume) 121 provided in this storage system 101 are described hereinafter.
The virtual storage extent 121 is created in the storage system 101 and is associated with a logical storage extent 120 which is mounted on the storage system 102. This association is recorded in storage extent configuration information 1107 held in the storage system 101. In this configuration, the host computer 200 transmits a data input/output command that targets the virtual storage extent 121 mounted on the storage system 101. When the storage system 101 receives this data input/output command, a virtual storage extent management program 1106 refers to the storage extent configuration information 1107 and determines that the destination of the commanded data input/output is the virtual storage extent 121. Next, the storage system 101 transfers the data input/output command received from the host computer 200, now targeting the logical storage extent 120 which is associated with this virtual storage extent and is mounted on the storage system 102. When the storage system 102 receives this data input/output command, it executes the commanded data input/output on the logical storage extent 120.
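The forwarding procedure described above can be modelled as follows. This is an added illustration, not code from the patent or from any storage product; the class and method names are hypothetical, and only the numbers 101, 102, 120, 121 and the notion of storage extent configuration information follow the text.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout; the reference numerals follow FIG. 2.
@dataclass
class IOCommand:
    op: str          # "read" or "write"
    extent: int      # extent the sender is addressing
    block: int
    data: bytes = b""

@dataclass
class StorageSystem:
    system_id: int
    logical_extents: dict = field(default_factory=dict)  # extent id -> {block: bytes}
    # Stand-in for the storage extent configuration information 1107:
    # virtual extent id -> (storage system holding the data, logical extent id)
    extent_config: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)        # audit trail of redirects

    def create_virtual_extent(self, virtual_id, remote, logical_id):
        # Refuse an association to an extent the remote system does not mount.
        if logical_id not in remote.logical_extents:
            raise KeyError(f"system {remote.system_id} has no extent {logical_id}")
        self.extent_config[virtual_id] = (remote, logical_id)

    def handle(self, cmd):
        if cmd.extent in self.extent_config:
            # Virtual extent: re-target the command and pass it on unchanged.
            remote, logical_id = self.extent_config[cmd.extent]
            self.forwarded.append((cmd.op, cmd.extent, remote.system_id, logical_id))
            return remote.handle(IOCommand(cmd.op, logical_id, cmd.block, cmd.data))
        if cmd.extent not in self.logical_extents:
            raise KeyError(f"system {self.system_id} has no extent {cmd.extent}")
        blocks = self.logical_extents[cmd.extent]
        if cmd.op == "write":
            blocks[cmd.block] = cmd.data
            return b""
        if cmd.op == "read":
            return blocks.get(cmd.block, b"")
        raise ValueError(f"unsupported operation {cmd.op!r}")

def demo():
    s102 = StorageSystem(102, logical_extents={120: {}})
    s101 = StorageSystem(101)
    s101.create_virtual_extent(121, s102, 120)
    # Constructed sample data: the host addresses only virtual extent 121 on system 101.
    s101.handle(IOCommand("write", 121, 0, b"constructed sample block"))
    return s101, s102
```

In this model the storage system 101 holds no blocks of its own for extent 121; every block the host writes ends up on the storage system 102, which is why the capabilities of the system that actually holds the data matter in the problems discussed next.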
However, the following problems exist in the prior-art technologies described hereinbefore.
More specifically, a first problem arises when a storage system has a function to encrypt data to be stored and also stores data encrypted by this function. When this encrypted data is migrated into another storage system, for example when the apparatus is being removed, it has been necessary to choose as the migration destination a storage system having a function capable of decrypting and encrypting this encrypted data. In addition, it has been difficult to choose an appropriate apparatus as the migration destination, because there has been no means for managing the compatibility among a plurality of encryption methods and the situation in which they are mounted. For this reason, there has been a risk that the data cannot be decrypted after transfer when an apparatus on which a compatible encryption function is mounted is not chosen as the migration destination.
A second problem arises when a storage system stores encrypted data and the encryption method of this data is to be updated to another encryption method. In the past, it has been necessary to follow a procedure in which the decrypted data is first read into a host computer, encrypted again by the other encryption method, and then written into another storage system having that method. However, this procedure carries a risk of tapping and falsification, since plaintext data flows on a network and is processed by the host computer.
Moreover, it has been necessary to perform load-imposing and time-consuming processing, such as migration processing on the network and computation processing by the host computer.
In addition, a third problem is that, when encrypted data is stored on a storage system, it becomes impossible to decrypt this data if the encryption function and the apparatus necessary for decrypting it are removed.
It should be noted that the invention described in Published Japanese Patent Application No. 2001-331380 does not address saving encrypted data, which is an object of the present invention, but focuses on how to efficiently decrypt encrypted data so that it can be read out to a host. In further detail, the storage system in Published Japanese Patent Application No. 2001-331380 does not aim, as the present invention does, at decrypting and storing the data to be saved on a disk drive; rather, Published Japanese Patent Application No. 2001-331380 describes the opposite operation, more specifically how to decrypt at the time of saving the encrypted data (refer to Published Japanese Patent Application No. 2001-331380).